While September 11 was the seminal event drawing the world’s attention to the security implications of international commerce, there were always global transportation risks that concerned countries and companies. Some events are naturally occurring, such as storms, risks of contamination or spoilage, water and heat damage to cargo. Others, like smuggling, pilferage, and terrorism are manmade. Following the horrific 2001 terrorist attacks on American soil, the U. S. Congress decided something was needed to address the manmade side of the equation. On November 25, 2002, Congress passed the Maritime Transportation Security Act (MTSA) of 2002, directing the U.S. Department of Transportation (DOT) to develop security measures for domestic maritime facilities and the vessels that call there.
Moreover, DOT was tasked to learn about the anti-terrorism measures in place in foreign ports and to offer training to countries where security standards appeared to be inadequate. These missions transitioned to the Department of Homeland Security when the U.S. Coast Guard was moved to the new department in 2003.
The regulations required by the MTSA were enacted in July 2004. The MTSA is a significant piece of legislation which reinforces the national and global importance of security for the marine transportation system and provides a crucial framework for ensuring the security of maritime commerce and U.S. domestic ports. The goal of the MTSA is to prevent a Transportation Security Incident (TSI)—defined as any incident that results in:
• Significant loss of life
• Environmental damage
• Transportation system disruption
• Economic disruption to a particular area
International Ship and Port Facility Security Code
At the same time the U.S. was working to develop a maritime security regime domestically, the International Maritime Organization (IMO) was looking at the problem from a global perspective. The MTSA of 2002 and the International Ship and Port Facility Security (ISPS) Code, adopted by the IMO in December 2002, work hand in hand supporting maritime security around the world to combat acts of terrorism and piracy. Both maritime security regimes contribute to effective protection against a wide range of threats including piracy, stowaways, smuggling, hijacking, theft, and willful damage. Many parts of these two regulatory codes are the same, word for word, and both were enacted to protect vessels, ports, waterways, and seafarers worldwide. The key principles of the ISPS Code are access control, control of restricted areas, the secure handling of cargo, delivery of stores/supplies to a vessel, security monitoring, security policies and procedures, and security training and exercises.
The ISPS Code does not specify measures that each port facility and ship must take to ensure their safety from terrorism because of the many different types, sizes, and business models of these vessels and facilities. Instead it outlines “a standardized, consistent framework for evaluating risks, enabling governments to offset changes in threat with changes in vulnerability for ships and port facilities.” For ships, the framework includes requirements for ship security plans, ship security officers, company security officers, and certain onboard equipment. For port facilities, the requirements include port facility security plans, port facility security officers, and certain security equipment. In addition, the requirements for ships and port facilities include monitoring and controlling access, monitoring the activities of people and cargo, and ensuring security communications are readily available.
The MTSA directs the secretary of the department to which the Coast Guard is assigned to assess the effectiveness of antiterrorism measures implemented in foreign ports from which U.S. flag and foreign vessels depart on voyages to the U.S., as well as any other foreign port the secretary believes poses a security risk to international maritime commerce bound for the U.S. Hence, the Coast Guard created the International Port Security (IPS) Program in 2004 to accomplish this task. The IPS program aligns the domestic MTSA regulations with the requirements of the IMO’s ISPS Code. This alignment helped domestic and international maritime stakeholders to better understand how each country and their ports implement maritime security measures through an exchange of good ideas and best practices information.
In order to develop a widely acceptable process that incorporates current information, intelligence, and best practices, the Coast Guard developed a selection matrix and survey protocol that drew on the experience acquired during the development of threat level assessments in U.S. mega-ports. Criteria were used to determine which countries would be visited and assessed, as well as, the timing for visits. All countries that export cargo bound for the U.S. or service vessels departing for U.S. ports would be considered for an in-country visit. A methodology was developed to assist in determining the priority for a port visit.
U. S. Facility and Vessel Vulnerability Assessments
Using risk-based methodology, all regulated vessel and facility owners and/or operators must conduct in-depth performance based security assessments of their operations to identify security weaknesses and vulnerabilities. Risk-based decision-making is one of the best tools to assess security and determine appropriate security measures for a vessel or facility. Risk-based decision-making is a systematic and analytical process that measures the likelihood a security breach will endanger an asset, an individual, or a function and identify actions that will reduce the vulnerability to, and mitigate the consequences of, a security breach or TSI.
For example, a security assessment might reveal weaknesses in an organization’s security systems or unprotected access points like the facility’s perimeter not being illuminated or gates not being secured or monitored after hours. To mitigate these vulnerabilities, a facility would implement procedures to ensure access points are observable, secured, and monitored by security patrols or closed circuit television. Another security enhancement might be to place locking mechanisms and/or wire mesh on doors and windows that provide access to restricted areas to prevent unauthorized personnel from entering.
The Security Assessment and on-scene security survey should be documented and retained by the Company Security Officer.
Facility/Vessel Security Plans
The vessel and facility security plans are the backbone of the MTSA of 2002. The MTSA calls for a series of plans at the national, port, and individual vessel/facility level. This concept was already working well for oil spill response. It also was being used to increase the MTSA awareness throughout the maritime community to coordinate information and deal with potential threats. Vessels and facilities that take part in certain cargo or passenger activities must have individual security plans that address fundamental security measures such as access control, communications of establishment of secured areas, cargo-handling or passenger monitoring, personnel training, and incident reporting. The Coast Guard maintains security oversight for 2,777 facilities and 13,500 vessels which must maintain and implement approved plans.
Before a plan is developed, though, each vessel or facility must complete an assessment of the security vulnerabilities specific to the operation. Based on the vulnerability assessment results, a vessel or facility security plan is developed to mitigate the weaknesses identified. The MTSA regulations also require that security plans include information on the qualifications and/or training necessary for all those who have security responsibilities onboard a vessel or at a facility. Vessels and facilities also must keep certain security-related records available to Coast Guard inspectors, as part of an annual inspection or spot check. The owners or operators of MTSA regulated facilities or vessels must make sure their personnel engage in drills and exercises so they are fully aware of their security responsibilities, particularly in times of crisis. Most important, security plans must list the preventative measures to be implemented to deter unauthorized access to the vessel or facility, security measures for protecting secured areas such as the bridge/pilot house or engine room on a vessel, and cargo storage areas and electrical systems for facilities. Security plans must also outline measures for the safe handling of cargo and ships stores, and for bunkering procedures.
The Coast Guard performs announced and unannounced inspections annually to determine whether a vessel or facility is in compliance with the requirements of the MTSA regulations. While making sure the facilities and vessels are compliant, the Coast Guard also has the mandate to enable, not impede, maritime commerce. The implementation of the MTSA regulations was clear in seeking a balance between maritime security and the free ow of trade.
In 2016, the Coast Guard completed thousands of security-related MTSA annual examinations and spot checks at regulated facilities and recorded only a .03% non-compliance with the MTSA regulations by facility owners/ operators. In some cases, examinations of a facility were not conducted due to the facility closing or changing their operations, thus removing them from Coast Guard oversight. The 180 enforcement offenses in 2016 took place at 125 MTSA-regulated facilities and included official letters of warning or administrative civil penalties.
Transportation Worker Identification Credential
Lastly, the MTSA of 2002 directed the Department of Homeland Security to issue regulations to require credentialed merchant mariners and transportation workers seeking unescorted access to secure areas of MTSA-regulated facilities, vessels, and Outer Continental Shelf facilities to undergo a security threat assessment and receive a Transportation Worker Identification Credential (TWIC). Prior to TWIC, specialized facilities with the capability may have chosen to conduct thorough background checks, but there was no standard background check conducted for workers in the nation’s ports. The TWIC program carries out the mandate and is an important piece of the layered approach to maritime security in the United States. TWIC is jointly managed by the Transportation Security Administration (TSA) and the U.S. Coast Guard, where TSA is responsible for enrollments, security threat assessments, credential production, and systems operations. The U.S. Coast Guard is responsible for establishing and enforcing access control requirements for MTSA-regulated vessels and facilities. TSA has processed more than 4.2 million enrollments since the program’s October 2007 inception.
TWICs are tamper-resistant, biometrical enabled identification documents issued to credential merchant mariners operating onboard MTSA regulated vessels and facilities and are part of the access control focused component of the Coast Guard’s overall maritime security program. The TWIC program establishes a minimum uniform vetting/threat assessment across the country. It ensures that workers needing routine, unescorted access to secure areas of facilities and vessels have been vetted against a specific list of disqualifying offenses, which includes terrorism associations and criminal convictions. The Coast Guard views the TWIC as an integral component of our nation’s layered maritime security system. Further, we see having a common credential as a vital enabler for the future, when risk-based access control decisions and intelligence capabilities will be more mature.
TWICs have a number of overt and covert security features which make them difficult to counterfeit. Coast Guard regulations specify how security personnel can, and should, visually assess the validity of a TWIC. TWIC readers enhance security by providing for additional verification of the validity of the TWIC and of the identity of the owner by using the biometric information embedded in the card. These security features and procedures, when properly employed, provide significant security benefits even without the use of a TWIC reader. As a visual identity badge alone, the card is easily recognized and provides a foundation for access authority determination. Security personnel have a single, consistent credential for comparison that allows them, through visual check alone, to:
• Verify that the credential is not expired
• Verify that the person presenting the credential matches the photo on the card
• Examine specific security features to determine whether the credential is authentic
As part of the MTSA security program, facility inspectors conducted tens of thousands of inspections of TWICs both visually and electronically in 2016, identifying a miniscule number of instances of non-compliance with the TWIC requirements. Additionally, the TWIC reader rule requires owners and operators of certain MTSA regulated vessels and facilities to use electronic readers designed to work with TWICs. The Coast Guard published the TWIC reader rule on August 23, 2016, with a two-year implementation period.
The security approaches discussed here have matured significantly since first being implemented in 2004. Numerous improvements have been made to secure facilities and the cargo received for loading on commercial vessels around the world. Vessels developed security standards for their operations to meet the mandates of their flag states and better protect the interface that occurs between the vessel and a facility during cargo or passenger operations. Even simple identification and vetting of employees and seafarers has improved significantly with the development of the TWIC in the U.S., and similar programs in other countries. Most importantly, all of these measures remain flexible and adaptable to the evolving threat of international terrorism and crime.
This article was originally published in Coast Guard Proceedings